Cyber Security Best Practices through Segmentation and Rapid Disconnect

My RSS search on cyber security found an interesting post the other day by IBM’s Todd Watson entitled How To Keep the Internet Sky From Falling.
It’s especially interesting to me because I’ve had the chance to meet Todd who is also based here in Austin, Texas. He offered some great guidance in the early days when we were trying to launch the Emerson Process Experts blog.
The paper Todd referenced is by the Business Roundtable, Essential Steps Toward Strengthening America’s Cyber Terrorism. Although this paper is mainly concerned with the loss of the Internet and Wide Area Network capabilities, it does have thoughts that process manufacturers around the globe need to consider.
I ran Todd’s post by Bob Huba who is leading the efforts on cyber security as it applies to Emerson’s DeltaV system. He’s part of a newly formed cyber security testing consortium for the process industries.
Bob thought the paper, as it applies to owners of control systems, brought two points to mind. The first is to keep the control system completely segmented from internet traffic, and the second is to not be dependent on information from outside the control system to perform basic control functions. This is especially true if the information required for control is coming from outside the facility over the internet.
As part of control system security best practices, Bob always promotes the idea that in a crisis situation on the plant LAN, such as a serious worm or virus attack that could leak into the control system, you absolutely must be able to sever the external LAN connection(s) to the control system until the issue is resolved. The control system must be able to keep functioning at some acceptable level with this connection severed. This is why the recommended DeltaV approach is that optimization and other supervisory-type control tasks be done locally in the DeltaV system whenever possible.
This model is being used in universities and colleges where they have a “student LAN” for email, instant messaging, web access, etc. that is aggressively segmented from the main university system with very few interconnections. These connections can be highly secured and monitored. They can be easily and quickly severed if the “student LAN” gets infected or attacked so the main system can be protected.
This is the model used in the initial development of the DeltaV system, and it is the model that is still enforced. The model is based on enforcing a high degree of segmentation between the control system network and the plant LAN so that critical control system functions are safeguarded as much as possible from threats originating on the business LANs. By using very limited external connections, those connections are easier to protect and monitor and can also be severed quickly when necessary.
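As an added illustration (not code from the post or from Emerson), the pattern Bob describes can be modelled as a controller whose basic loop depends only on a locally held setpoint, treats the single supervisory link from the plant LAN as optional and monitored, and keeps running when that link is severed. All class names, setpoints and timing values below are constructed for the example.

```python
"""Local-fallback control with a severable supervisory link (added example).

Basic control uses only data held inside the control system; the one
external interconnection supplies an optional supervisory setpoint that is
ignored when stale or when the link has been cut during a plant-LAN incident.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class SupervisoryLink:
    """The single monitored interconnection to the plant LAN (constructed)."""
    connected: bool = True
    last_setpoint: Optional[float] = None
    last_update: float = 0.0

    def receive(self, setpoint: float, now: float) -> None:
        # Data arriving after the link was severed is never accepted.
        if self.connected:
            self.last_setpoint, self.last_update = setpoint, now

    def sever(self) -> str:
        """Rapid disconnect: drop the link; control continues locally."""
        self.connected = False
        return "external link severed"


@dataclass
class LocalController:
    local_setpoint: float            # safe default held inside the control system
    max_age_s: float = 30.0          # external data older than this is not trusted
    link: SupervisoryLink = field(default_factory=SupervisoryLink)

    def effective_setpoint(self, now: float) -> Tuple[float, str]:
        """Setpoint for the next control cycle and where it came from."""
        sp = self.link.last_setpoint
        fresh = sp is not None and (now - self.link.last_update) <= self.max_age_s
        if self.link.connected and fresh:
            return sp, "supervisory"
        return self.local_setpoint, "local"


def simulate() -> List[Tuple[float, str]]:
    """Walk through fresh data, stale data, then a severed link."""
    ctl = LocalController(local_setpoint=50.0)
    ctl.link.receive(55.0, now=0.0)
    out = [ctl.effective_setpoint(now=10.0)]      # fresh: supervisory value used
    out.append(ctl.effective_setpoint(now=45.0))  # stale: falls back to local
    ctl.link.receive(60.0, now=46.0)
    ctl.link.sever()                              # plant-LAN incident: cut the link
    ctl.link.receive(99.0, now=47.0)              # ignored, link is down
    out.append(ctl.effective_setpoint(now=47.0))  # still controlling, locally
    return out
```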
Bob has described more of these best practices in two whitepapers: DeltaV System Cyber-Security and Best Practices for DeltaV Cyber-Security.